This first GET request always appears in an attempt, every time, I have not seen single attempt without this request (what does the bot finds out in this request?);
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:43:55 +0100] "GET /posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17 HTTP/1.0" 200 53751 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
1;
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:44:06 +0100] "GET /ucp.php?mode=confirm&id=b18ce156deecfd6a345b75920d10b1ba&type=3&sid=a1e30c2fc0acf5fb7e06d246fd142797 HTTP/1.0" 200 4884 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:44:14 +0100] "POST /posting.php?mode=reply&f=40&sid=a1e30c2fc0acf5fb7e06d246fd142797&t=86 HTTP/1.0" 200 53598 "http://forum.xx.info/posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:44:20 +0100] "GET /ucp.php?mode=confirm&id=9006fed82fb7d9940884d6fb550609f0&type=3 HTTP/1.0" 200 5386 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:44:28 +0100] "POST /posting.php?mode=reply&f=40&sid=a1e30c2fc0acf5fb7e06d246fd142797&t=86 HTTP/1.0" 200 53598 "http://forum.xx.info/posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:44:33 +0100] "GET /ucp.php?mode=confirm&id=d7ca691f51333bf436879e585e68e315&type=3 HTTP/1.0" 200 5501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
Code: Select all
xx.113.16.66 - - [02/Feb/2009:08:44:41 +0100] "POST /posting.php?mode=reply&f=40&sid=a1e30c2fc0acf5fb7e06d246fd142797&t=86 HTTP/1.0" 200 53598 "http://forum.xx.info/posting.php?mode=reply&f=40&t=86&sid=559b49ce72c1f1a6d43130e7a46ddc17" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
Maybe this will be useful for someone who actually understands what is happening under this procedure. For now I had to close all the forums for "registered only" (version 3.0.4).